Sandboxie Isolation Demonstration: Cryptoplocker

PiwPi
Posts: 84
Joined: Mon Jan 31, 2011 12:36 pm

Sandboxie Isolation Demonstration: Cryptoplocker

Post by PiwPi » Tue Apr 08, 2014 5:26 pm

On the Sandboxie homepage there is a YouTube video demonstrating the effectiveness of SB against Cryptolocker: https://www.youtube.com/watch?v=aMtyGNviiRY
I noticed in the video, and it's pointed out in the YouTube comments, that at the 02:15 mark it shows the files that got encrypted by Cryptolocker. One of those files was outside of the sandbox directory. The file is "Penguins.jpg" and it shows the location as C:\Users\Public\Pictures\Sample Pictures.

I'm curious how this file was able to get encrypted by Cryptolocker. Did Sandboxie fail to fully protect the system? Was it some leftover file from testing? Anyone know?

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Buster » Tue Apr 08, 2014 8:53 pm

The malware was successfully contained, but for some reason Sandboxie is not returning a fake path. The path that should be showing is the path to the real system, like it does with the "Penguins.jpg" file, but instead it is showing the path inside the sandbox folder.

I consider this a glitch that should be fixed. I already requested a feature to show a fake path in other conditions too:

http://forums.sandboxie.com/phpBB3/view ... =4&t=18356

PiwPi
Posts: 84
Joined: Mon Jan 31, 2011 12:36 pm

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by PiwPi » Wed Apr 09, 2014 3:26 am

Why do you think it's a glitch? Cryptolocker was activated inside the sandbox, so it will encrypt all the files inside the sandbox. The file path is correct. The only thing is how did Penguins.jpg get encrypted outside the sandbox.

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Nix » Wed Apr 09, 2014 6:27 am

Strange :roll: ...
Even upon deletion the file path to the sample picture is not included.
Regards,
Nix

Win7 Ultimate (x64)


Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Buster » Fri Apr 11, 2014 4:55 am

@ Curt: any comment about this?

nicknomo
Posts: 89
Joined: Mon Aug 02, 2010 3:15 am

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by nicknomo » Fri Apr 11, 2014 10:44 pm

There are only three things I can think of...

1) There was an Immediate Recovery box, in which the user could have accidentally recovered a single file...

2) All of the other files were in his profile folder. Sandboxie has two sandbox folders, one for the user and one for the drive. The public user folder would have ended up in the drive sandbox, and the path could have been hidden.

3) The Public user folder was given full access?

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Buster » Mon Apr 14, 2014 7:08 pm

Curt: Please don't miss commenting on this thread.

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Nix » Tue Apr 15, 2014 12:01 am

Anyone at Invincea care to comment on this...
Regards,
Nix

Win7 Ultimate (x64)


Curt@invincea
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm
Contact:

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Curt@invincea » Wed Apr 16, 2014 12:02 am

I will look into this as soon as I have time.

Hamy
Posts: 45
Joined: Mon Jul 21, 2008 2:01 am

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Hamy » Fri Apr 18, 2014 7:52 am

I think Buster provided the best explanation so far. Sandboxed applications should not be able to see the real sandboxed locations of the files. Sandboxie has the responsibility to intercept the APIs being used to retrieve the file locations and adjust them. So the problem is not the application reporting the Penguins.jpg file in "C:\Users\Public\Pictures\Sample Pictures", but rather every other single file, and the fact that the real location of the files somehow leaked to the sandboxed program. Buster apparently has also identified the required API that needs to be intercepted to fix this. Nice work :) . It is important to note that this could be a potential problem for legitimate software as well: if it uses the same method that this malware uses to retrieve the file locations, it might not be able to work properly in Sandboxie.
I also gave Cryptolocker a try myself just to make sure, and was able to reproduce this exact behavior. Even though I am unsure at the moment why only that single file's location (C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg) differs from the others in the malware's list of affected files, I can confirm that nothing has leaked from Sandboxie, and the real JPG file is still intact.
Best Regards
Hamy
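Hamy's point that the sandbox must rewrite every path it hands back to a sandboxed program can be checked from the outside: given the file list an application reports, map any path that lies in the container back to the host-style path the program should have been shown. This is an added example, not code from this thread or from Sandboxie; the container layout it assumes (drive\<letter>\..., user\current\..., user\public\... under the box folder), the box name and the sample file list are constructed and should be verified against your own installation.

```python
import re

# Constructed sample: container root and the profile folders it virtualizes.
# The drive\<letter> and user\<profile> subtrees are an ASSUMED layout.
CONTAINER_ROOT = r"C:\Sandbox\Alice\DefaultBox"
PROFILE_MAP = {
    "current": r"C:\Users\Alice",   # current user's profile
    "public": r"C:\Users\Public",   # public profile (where Penguins.jpg lives)
}

_DRIVE = re.compile(r"^drive\\([A-Za-z])(?:\\(.*))?$")
_USER = re.compile(r"^user\\(current|public|all)(?:\\(.*))?$")


def unvirtualize(path, container_root=CONTAINER_ROOT, profile_map=PROFILE_MAP):
    """Return the host-style path a sandboxed app should have seen for a
    container path, or None when the path does not point into the container."""
    root = container_root.rstrip("\\") + "\\"
    if not path.lower().startswith(root.lower()):
        return None
    rel = path[len(root):]
    m = _DRIVE.match(rel)
    if m:  # drive\C\Data\x -> C:\Data\x
        letter, rest = m.group(1).upper(), m.group(2) or ""
        return f"{letter}:\\{rest}"
    m = _USER.match(rel)
    if m and m.group(1) in profile_map:  # user\current\Documents -> profile
        rest = m.group(2) or ""
        return profile_map[m.group(1)] + ("\\" + rest if rest else "")
    return None  # inside the container but not a recognised subtree


def audit_reported_paths(paths, **kw):
    """Split an app's reported file list into paths that correctly look like
    host paths and container paths that leaked through the virtualization.
    Returns (clean, leaked); leaked maps each container path to the path the
    app should have been shown instead."""
    clean, leaked = [], {}
    for p in paths:
        expected = unvirtualize(p, **kw)
        (clean.append(p) if expected is None else leaked.__setitem__(p, expected))
    return clean, leaked


# Constructed list of the kind Cryptolocker displays: one host-style path
# (as Penguins.jpg appeared in the video) and two leaked container paths.
REPORTED = [
    r"C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg",
    r"C:\Sandbox\Alice\DefaultBox\user\current\Documents\budget.xlsx",
    r"C:\Sandbox\Alice\DefaultBox\drive\C\Data\notes.txt",
]
```

Any entry in `leaked` is a path-virtualization gap of the kind discussed here: not a container escape, but a spot where the sandboxed program was shown where the copy really lives.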

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Nix » Fri Apr 18, 2014 10:01 pm

Hamy wrote: I also gave Cryptolocker a try myself just to make sure, and was able to reproduce this exact behavior. Even though I am unsure at the moment why only that single file's location (C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg) differs from the others in the malware's list of affected files, I can confirm that nothing has leaked from Sandboxie, and the real JPG file is still intact.

That's reassuring... but the bug still needs to be fixed!
Regards,
Nix

Win7 Ultimate (x64)


Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Buster » Tue Apr 22, 2014 8:11 pm

Curt: Any update about this issue?

Curt@invincea
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm
Contact:

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Curt@invincea » Thu Apr 24, 2014 12:29 pm

Buster and Hamy are correct. A sandboxed app should not be able to see the "real", sandboxed path. To Cryptolocker, they should all look like C:\Users\Public\Pictures\Sample Pictures\penguins.jpg.

This does not present any kind of a leak or hole. The sandboxed app cannot access the file outside the sandbox. The only issue here is that the sandboxed app can determine that it is inside a sandbox by looking at the file path. But there are many other ways to accomplish that goal already (that cannot be plugged). We will attend to these as soon as we can get to them.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Buster » Thu Apr 24, 2014 12:46 pm

Curt@invincea wrote: Buster and Hamy are correct. A sandboxed app should not be able to see the "real", sandboxed path. To Cryptolocker, they should all look like C:\Users\Public\Pictures\Sample Pictures\penguins.jpg.

This does not present any kind of a leak or hole. The sandboxed app cannot access the file outside the sandbox. The only issue here is that the sandboxed app can determine that it is inside a sandbox by looking at the file path. But there are many other ways to accomplish that goal already (that cannot be plugged). We will attend to these as soon as we can get to them.
As Hamy pointed out:
Hamy wrote: It is important to note that this could be a potential problem for legitimate software as well: if it uses the same method that this malware uses to retrieve the file locations, it might not be able to work properly in Sandboxie.
It is important to fix this issue not just because an app can determine it is being run sandboxed, but also because legitimate software may get confused.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Sandboxie Isolation Demonstration: Cryptoplocker

Post by Buster » Thu May 15, 2014 4:03 pm

Curt: Do you know already why the malware is showing the path to the sandbox?
